GHSA-3824-qmfq-2qv7
SurrealDB no JavaScript script function default timeout could facilitate DoS
Blast Radius
surrealdb🦀surrealdb🦀surrealdbReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects crates.io packages — download data is not available via public APIs for these ecosystems.
Description
Through enabling the scripting capability. SurrealDB allows for advanced functions with complicated logic, by allowing embedded functions to be written in JavaScript.
These functions are bounded for memory and stack size, but not in time. An attacker could launch a number of long running functions that could potentially facilitate a Denial Of Service attack.
This vulnerability can only affect SurrealDB servers explicitly enabling the scripting capability with --allow-scripting or
--allow-all and equivalent environment variables SURREAL_CAPS_ALLOW_SCRIPT=true and SURREAL_CAPS_ALLOW_ALL=true.
This issue was discovered and patched during an code audit and penetration test of SurrealDB by cure53, the severity defined within cure53's preliminary finding is Low, matched by our CVSS v4 assessment.
Impact
An attacker can use the scripting capabilities of SurrealDB to run a series of long running functions to facilitate a Denial Of Service attack.
Patches
A default timeout for the scripting functions has been implemented with a configurable SURREAL_SCRIPTING_MAX_TIME_LIMIT environment variable
- Versions 2.0.5, 2.1.5, 2.2.2 and later are not affected by this issue.
Workarounds
For users that cannot upgrade. Deny execution of embedded scripting functions through the configuration of capabilities by starting SurrealDB with the --deny-scripting flag or the equivalent environment variable SURREAL_CAPS_DENY_SCRIPT=true. This has a usability implication, although scripting functions are disabled by default.
References
5597 SurrealDB Documentation - Capabilities SurrealQL Documentation - Scripting Functions
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🦀crates.io | surrealdb | ≥ 2.2.0&&< 2.2.2 | 2.2.2 |
| 🦀crates.io | surrealdb | all versions | 2.0.5 |
| 🦀crates.io | surrealdb | ≥ 2.1.0&&< 2.1.5 | 2.1.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for surrealdb. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update surrealdb to 2.2.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3824-qmfq-2qv7 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-3824-qmfq-2qv7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-3824-qmfq-2qv7. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-3824-qmfq-2qv7 in your dependencies?
O3 detects GHSA-3824-qmfq-2qv7 across crates.io dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.